grpc 1.53.0 → 1.54.0

data/third_party/boringssl-with-bazel/src/crypto/refcount_lock.c

@@ -14,15 +14,14 @@
 
 #include "internal.h"
 
+#include <assert.h>
 #include <stdlib.h>
 
-#include <openssl/type_check.h>
-
 
 #if !defined(OPENSSL_C11_ATOMIC)
 
-OPENSSL_STATIC_ASSERT((CRYPTO_refcount_t)-1 == CRYPTO_REFCOUNT_MAX,
-                      "CRYPTO_REFCOUNT_MAX is incorrect");
+static_assert((CRYPTO_refcount_t)-1 == CRYPTO_REFCOUNT_MAX,
+              "CRYPTO_REFCOUNT_MAX is incorrect");
 
 static struct CRYPTO_STATIC_MUTEX g_refcount_lock = CRYPTO_STATIC_MUTEX_INIT;
 

data/third_party/boringssl-with-bazel/src/crypto/siphash/siphash.c

@@ -48,8 +48,7 @@ uint64_t SIPHASH_24(const uint64_t key[2], const uint8_t *input,
   v[3] = key[1] ^ UINT64_C(0x7465646279746573);
 
   while (input_len >= sizeof(uint64_t)) {
-    uint64_t m;
-    memcpy(&m, input, sizeof(m));
+    uint64_t m = CRYPTO_load_u64_le(input);
     v[3] ^= m;
     siphash_round(v);
     siphash_round(v);
@@ -59,18 +58,16 @@ uint64_t SIPHASH_24(const uint64_t key[2], const uint8_t *input,
     input_len -= sizeof(uint64_t);
   }
 
-  union {
-    uint8_t bytes[8];
-    uint64_t word;
-  } last_block;
-  last_block.word = 0;
-  OPENSSL_memcpy(last_block.bytes, input, input_len);
-  last_block.bytes[7] = orig_input_len & 0xff;
+  uint8_t last_block[8];
+  OPENSSL_memset(last_block, 0, sizeof(last_block));
+  OPENSSL_memcpy(last_block, input, input_len);
+  last_block[7] = orig_input_len & 0xff;
 
-  v[3] ^= last_block.word;
+  uint64_t last_block_word = CRYPTO_load_u64_le(last_block);
+  v[3] ^= last_block_word;
   siphash_round(v);
   siphash_round(v);
-  v[0] ^= last_block.word;
+  v[0] ^= last_block_word;
 
   v[2] ^= 0xff;
   siphash_round(v);

data/third_party/boringssl-with-bazel/src/crypto/stack/stack.c

@@ -67,7 +67,7 @@
 // stack.
 static const size_t kMinSize = 4;
 
-_STACK *sk_new(stack_cmp_func comp) {
+_STACK *sk_new(OPENSSL_sk_cmp_func comp) {
   _STACK *ret = OPENSSL_malloc(sizeof(_STACK));
   if (ret == NULL) {
     return NULL;
@@ -131,8 +131,8 @@ void sk_free(_STACK *sk) {
   OPENSSL_free(sk);
 }
 
-void sk_pop_free_ex(_STACK *sk, void (*call_free_func)(stack_free_func, void *),
-                    stack_free_func free_func) {
+void sk_pop_free_ex(_STACK *sk, OPENSSL_sk_call_free_func call_free_func,
+                    OPENSSL_sk_free_func free_func) {
   if (sk == NULL) {
     return;
   }
@@ -145,14 +145,14 @@ void sk_pop_free_ex(_STACK *sk, void (*call_free_func)(stack_free_func, void *),
   sk_free(sk);
 }
 
-// Historically, |sk_pop_free| called the function as |stack_free_func|
+// Historically, |sk_pop_free| called the function as |OPENSSL_sk_free_func|
 // directly. This is undefined in C. Some callers called |sk_pop_free| directly,
 // so we must maintain a compatibility version for now.
-static void call_free_func_legacy(stack_free_func func, void *ptr) {
+static void call_free_func_legacy(OPENSSL_sk_free_func func, void *ptr) {
   func(ptr);
 }
 
-void sk_pop_free(_STACK *sk, stack_free_func free_func) {
+void sk_pop_free(_STACK *sk, OPENSSL_sk_free_func free_func) {
   sk_pop_free_ex(sk, call_free_func_legacy, free_func);
 }
 
@@ -212,7 +212,7 @@ void *sk_delete(_STACK *sk, size_t where) {
 
   if (where != sk->num - 1) {
     OPENSSL_memmove(&sk->data[where], &sk->data[where + 1],
-            sizeof(void *) * (sk->num - where - 1));
+                    sizeof(void *) * (sk->num - where - 1));
   }
 
   sk->num--;
@@ -233,9 +233,24 @@ void *sk_delete_ptr(_STACK *sk, const void *p) {
   return NULL;
 }
 
+void sk_delete_if(_STACK *sk, OPENSSL_sk_call_delete_if_func call_func,
+                  OPENSSL_sk_delete_if_func func, void *data) {
+  if (sk == NULL) {
+    return;
+  }
+
+  size_t new_num = 0;
+  for (size_t i = 0; i < sk->num; i++) {
+    if (!call_func(func, sk->data[i], data)) {
+      sk->data[new_num] = sk->data[i];
+      new_num++;
+    }
+  }
+  sk->num = new_num;
+}
+
 int sk_find(const _STACK *sk, size_t *out_index, const void *p,
-            int (*call_cmp_func)(stack_cmp_func, const void **,
-                                 const void **)) {
+            OPENSSL_sk_call_cmp_func call_cmp_func) {
   if (sk == NULL) {
     return 0;
   }
@@ -355,24 +370,43 @@ err:
   return NULL;
 }
 
-void sk_sort(_STACK *sk) {
+#if defined(_MSC_VER)
+struct sort_compare_ctx {
+  OPENSSL_sk_call_cmp_func call_cmp_func;
+  OPENSSL_sk_cmp_func cmp_func;
+};
+
+static int sort_compare(void *ctx_v, const void *a, const void *b) {
+  struct sort_compare_ctx *ctx = ctx_v;
+  return ctx->call_cmp_func(ctx->cmp_func, a, b);
+}
+#endif
+
+void sk_sort(_STACK *sk, OPENSSL_sk_call_cmp_func call_cmp_func) {
   if (sk == NULL || sk->comp == NULL || sk->sorted) {
     return;
   }
 
-  // sk->comp is a function that takes pointers to pointers to elements, but
-  // qsort take a comparison function that just takes pointers to elements.
-  // However, since we're passing an array of pointers to qsort, we can just
-  // cast the comparison function and everything works.
-  //
-  // TODO(davidben): This is undefined behavior, but the call is in libc so,
-  // e.g., CFI does not notice. Unfortunately, |qsort| is missing a void*
-  // parameter in its callback and |qsort_s| / |qsort_r| are a mess of
-  // incompatibility.
   if (sk->num >= 2) {
+#if defined(_MSC_VER)
+    // MSVC's |qsort_s| is different from the C11 one.
+    // https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/qsort-s?view=msvc-170
+    struct sort_compare_ctx ctx = {call_cmp_func, sk->comp};
+    qsort_s(sk->data, sk->num, sizeof(void *), sort_compare, &ctx);
+#else
+    // sk->comp is a function that takes pointers to pointers to elements, but
+    // qsort take a comparison function that just takes pointers to elements.
+    // However, since we're passing an array of pointers to qsort, we can just
+    // cast the comparison function and everything works.
+    //
+    // TODO(davidben): This is undefined behavior, but the call is in libc so,
+    // e.g., CFI does not notice. |qsort| is missing a void* parameter in its
+    // callback, while no one defines |qsort_r| or |qsort_s| consistently. See
+    // https://stackoverflow.com/a/39561369
     int (*comp_func)(const void *, const void *) =
         (int (*)(const void *, const void *))(sk->comp);
     qsort(sk->data, sk->num, sizeof(void *), comp_func);
+#endif
   }
   sk->sorted = 1;
 }
@@ -381,11 +415,12 @@ int sk_is_sorted(const _STACK *sk) {
   if (!sk) {
     return 1;
   }
-  return sk->sorted;
+  // Zero- and one-element lists are always sorted.
+  return sk->sorted || (sk->comp != NULL && sk->num < 2);
 }
 
-stack_cmp_func sk_set_cmp_func(_STACK *sk, stack_cmp_func comp) {
-  stack_cmp_func old = sk->comp;
+OPENSSL_sk_cmp_func sk_set_cmp_func(_STACK *sk, OPENSSL_sk_cmp_func comp) {
+  OPENSSL_sk_cmp_func old = sk->comp;
 
   if (sk->comp != comp) {
     sk->sorted = 0;
@@ -395,11 +430,10 @@ stack_cmp_func sk_set_cmp_func(_STACK *sk, stack_cmp_func comp) {
   return old;
 }
 
-_STACK *sk_deep_copy(const _STACK *sk,
-                     void *(*call_copy_func)(stack_copy_func, void *),
-                     stack_copy_func copy_func,
-                     void (*call_free_func)(stack_free_func, void *),
-                     stack_free_func free_func) {
+_STACK *sk_deep_copy(const _STACK *sk, OPENSSL_sk_call_copy_func call_copy_func,
+                     OPENSSL_sk_copy_func copy_func,
+                     OPENSSL_sk_call_free_func call_free_func,
+                     OPENSSL_sk_free_func free_func) {
   _STACK *ret = sk_dup(sk);
   if (ret == NULL) {
     return NULL;

data/third_party/boringssl-with-bazel/src/crypto/thread_pthread.c

@@ -12,24 +12,21 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
+// Ensure we can't call OPENSSL_malloc circularly.
+#define _BORINGSSL_PROHIBIT_OPENSSL_MALLOC
 #include "internal.h"
 
 #if defined(OPENSSL_PTHREADS)
 
+#include <assert.h>
 #include <pthread.h>
 #include <stdlib.h>
 #include <string.h>
 
-#include <openssl/mem.h>
-#include <openssl/type_check.h>
-
-
-OPENSSL_STATIC_ASSERT(sizeof(CRYPTO_MUTEX) >= sizeof(pthread_rwlock_t),
-                      "CRYPTO_MUTEX is too small");
-#if defined(__GNUC__) || defined(__clang__)
-OPENSSL_STATIC_ASSERT(alignof(CRYPTO_MUTEX) >= alignof(pthread_rwlock_t),
-                      "CRYPTO_MUTEX has insufficient alignment");
-#endif
+static_assert(sizeof(CRYPTO_MUTEX) >= sizeof(pthread_rwlock_t),
+              "CRYPTO_MUTEX is too small");
+static_assert(alignof(CRYPTO_MUTEX) >= alignof(pthread_rwlock_t),
+              "CRYPTO_MUTEX has insufficient alignment");
 
 void CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock) {
   if (pthread_rwlock_init((pthread_rwlock_t *) lock, NULL) != 0) {
@@ -120,7 +117,7 @@ static void thread_local_destructor(void *arg) {
     }
   }
 
-  OPENSSL_free(pointers);
+  free(pointers);
 }
 
 static pthread_once_t g_thread_local_init_once = PTHREAD_ONCE_INIT;
@@ -155,14 +152,14 @@ int CRYPTO_set_thread_local(thread_local_data_t index, void *value,
 
   void **pointers = pthread_getspecific(g_thread_local_key);
   if (pointers == NULL) {
-    pointers = OPENSSL_malloc(sizeof(void *) * NUM_OPENSSL_THREAD_LOCALS);
+    pointers = malloc(sizeof(void *) * NUM_OPENSSL_THREAD_LOCALS);
     if (pointers == NULL) {
       destructor(value);
       return 0;
     }
     OPENSSL_memset(pointers, 0, sizeof(void *) * NUM_OPENSSL_THREAD_LOCALS);
     if (pthread_setspecific(g_thread_local_key, pointers) != 0) {
-      OPENSSL_free(pointers);
+      free(pointers);
       destructor(value);
       return 0;
     }

data/third_party/boringssl-with-bazel/src/crypto/thread_win.c

@@ -12,6 +12,8 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
+// Ensure we can't call OPENSSL_malloc circularly.
+#define _BORINGSSL_PROHIBIT_OPENSSL_MALLOC
 #include "internal.h"
 
 #if defined(OPENSSL_WINDOWS_THREADS)
@@ -20,19 +22,14 @@ OPENSSL_MSVC_PRAGMA(warning(push, 3))
 #include <windows.h>
 OPENSSL_MSVC_PRAGMA(warning(pop))
 
+#include <assert.h>
 #include <stdlib.h>
 #include <string.h>
 
-#include <openssl/mem.h>
-#include <openssl/type_check.h>
-
-
-OPENSSL_STATIC_ASSERT(sizeof(CRYPTO_MUTEX) >= sizeof(SRWLOCK),
-                      "CRYPTO_MUTEX is too small");
-#if defined(__GNUC__) || defined(__clang__)
-OPENSSL_STATIC_ASSERT(alignof(CRYPTO_MUTEX) >= alignof(SRWLOCK),
-                      "CRYPTO_MUTEX has insufficient alignment");
-#endif
+static_assert(sizeof(CRYPTO_MUTEX) >= sizeof(SRWLOCK),
+              "CRYPTO_MUTEX is too small");
+static_assert(alignof(CRYPTO_MUTEX) >= alignof(SRWLOCK),
+              "CRYPTO_MUTEX has insufficient alignment");
 
 static BOOL CALLBACK call_once_init(INIT_ONCE *once, void *arg, void **out) {
   void (**init)(void) = (void (**)(void))arg;
@@ -131,7 +128,7 @@ static void NTAPI thread_local_destructor(PVOID module, DWORD reason,
     }
   }
 
-  OPENSSL_free(pointers);
+  free(pointers);
 }
 
 // Thread Termination Callbacks.
@@ -236,14 +233,14 @@ int CRYPTO_set_thread_local(thread_local_data_t index, void *value,
 
   void **pointers = get_thread_locals();
   if (pointers == NULL) {
-    pointers = OPENSSL_malloc(sizeof(void *) * NUM_OPENSSL_THREAD_LOCALS);
+    pointers = malloc(sizeof(void *) * NUM_OPENSSL_THREAD_LOCALS);
     if (pointers == NULL) {
       destructor(value);
       return 0;
     }
     OPENSSL_memset(pointers, 0, sizeof(void *) * NUM_OPENSSL_THREAD_LOCALS);
     if (TlsSetValue(g_thread_local_key, pointers) == 0) {
-      OPENSSL_free(pointers);
+      free(pointers);
       destructor(value);
       return 0;
     }

data/third_party/boringssl-with-bazel/src/crypto/trust_token/internal.h

@@ -71,6 +71,7 @@ typedef struct {
 // TRUST_TOKEN_PRETOKEN represents the intermediate state a client keeps during
 // a Trust_Token issuance operation.
 typedef struct pmb_pretoken_st {
+  uint8_t salt[TRUST_TOKEN_NONCE_SIZE];
   uint8_t t[TRUST_TOKEN_NONCE_SIZE];
   EC_SCALAR r;
   EC_AFFINE Tp;
@@ -93,22 +94,29 @@ DEFINE_STACK_OF(TRUST_TOKEN_PRETOKEN)
 // functions for |TRUST_TOKENS_experiment_v1|'s PMBTokens construction which
 // uses P-384.
 int pmbtoken_exp1_generate_key(CBB *out_private, CBB *out_public);
+int pmbtoken_exp1_derive_key_from_secret(CBB *out_private, CBB *out_public,
+                                         const uint8_t *secret,
+                                         size_t secret_len);
 int pmbtoken_exp1_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key,
                                         const uint8_t *in, size_t len);
 int pmbtoken_exp1_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key,
                                         const uint8_t *in, size_t len);
-STACK_OF(TRUST_TOKEN_PRETOKEN) * pmbtoken_exp1_blind(CBB *cbb, size_t count);
+STACK_OF(TRUST_TOKEN_PRETOKEN) *pmbtoken_exp1_blind(CBB *cbb, size_t count,
+                                                    int include_message,
+                                                    const uint8_t *msg,
+                                                    size_t msg_len);
 int pmbtoken_exp1_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,
                        size_t num_requested, size_t num_to_issue,
                        uint8_t private_metadata);
-STACK_OF(TRUST_TOKEN) *
-    pmbtoken_exp1_unblind(const TRUST_TOKEN_CLIENT_KEY *key,
-                          const STACK_OF(TRUST_TOKEN_PRETOKEN) * pretokens,
-                          CBS *cbs, size_t count, uint32_t key_id);
+STACK_OF(TRUST_TOKEN) *pmbtoken_exp1_unblind(
+    const TRUST_TOKEN_CLIENT_KEY *key,
+    const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,
+    uint32_t key_id);
 int pmbtoken_exp1_read(const TRUST_TOKEN_ISSUER_KEY *key,
                        uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],
                        uint8_t *out_private_metadata, const uint8_t *token,
-                       size_t token_len);
+                       size_t token_len, int include_message,
+                       const uint8_t *msg, size_t msg_len);
 
 // pmbtoken_exp1_get_h_for_testing returns H in uncompressed coordinates. This
 // function is used to confirm H was computed as expected.
@@ -118,22 +126,29 @@ OPENSSL_EXPORT int pmbtoken_exp1_get_h_for_testing(uint8_t out[97]);
 // functions for |TRUST_TOKENS_experiment_v2|'s PMBTokens construction which
 // uses P-384.
 int pmbtoken_exp2_generate_key(CBB *out_private, CBB *out_public);
+int pmbtoken_exp2_derive_key_from_secret(CBB *out_private, CBB *out_public,
+                                         const uint8_t *secret,
+                                         size_t secret_len);
 int pmbtoken_exp2_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key,
                                         const uint8_t *in, size_t len);
 int pmbtoken_exp2_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key,
                                         const uint8_t *in, size_t len);
-STACK_OF(TRUST_TOKEN_PRETOKEN) * pmbtoken_exp2_blind(CBB *cbb, size_t count);
+STACK_OF(TRUST_TOKEN_PRETOKEN) *pmbtoken_exp2_blind(CBB *cbb, size_t count,
+                                                    int include_message,
+                                                    const uint8_t *msg,
+                                                    size_t msg_len);
 int pmbtoken_exp2_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,
                        size_t num_requested, size_t num_to_issue,
                        uint8_t private_metadata);
-STACK_OF(TRUST_TOKEN) *
-    pmbtoken_exp2_unblind(const TRUST_TOKEN_CLIENT_KEY *key,
-                          const STACK_OF(TRUST_TOKEN_PRETOKEN) * pretokens,
-                          CBS *cbs, size_t count, uint32_t key_id);
+STACK_OF(TRUST_TOKEN) *pmbtoken_exp2_unblind(
+    const TRUST_TOKEN_CLIENT_KEY *key,
+    const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,
+    uint32_t key_id);
 int pmbtoken_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key,
                        uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],
                        uint8_t *out_private_metadata, const uint8_t *token,
-                       size_t token_len);
+                       size_t token_len, int include_message,
+                       const uint8_t *msg, size_t msg_len);
 
 // pmbtoken_exp2_get_h_for_testing returns H in uncompressed coordinates. This
 // function is used to confirm H was computed as expected.
@@ -153,22 +168,28 @@ OPENSSL_EXPORT int pmbtoken_exp2_get_h_for_testing(uint8_t out[97]);
 // functions for |TRUST_TOKENS_experiment_v2|'s VOPRF construction which uses
 // P-384.
 int voprf_exp2_generate_key(CBB *out_private, CBB *out_public);
+int voprf_exp2_derive_key_from_secret(CBB *out_private, CBB *out_public,
+                                      const uint8_t *secret, size_t secret_len);
 int voprf_exp2_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key,
                                      const uint8_t *in, size_t len);
 int voprf_exp2_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key,
                                      const uint8_t *in, size_t len);
-STACK_OF(TRUST_TOKEN_PRETOKEN) * voprf_exp2_blind(CBB *cbb, size_t count);
+STACK_OF(TRUST_TOKEN_PRETOKEN) *voprf_exp2_blind(CBB *cbb, size_t count,
+                                                 int include_message,
+                                                 const uint8_t *msg,
+                                                 size_t msg_len);
 int voprf_exp2_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,
                     size_t num_requested, size_t num_to_issue,
                     uint8_t private_metadata);
-STACK_OF(TRUST_TOKEN) *
-    voprf_exp2_unblind(const TRUST_TOKEN_CLIENT_KEY *key,
-                       const STACK_OF(TRUST_TOKEN_PRETOKEN) * pretokens,
-                       CBS *cbs, size_t count, uint32_t key_id);
+STACK_OF(TRUST_TOKEN) *voprf_exp2_unblind(
+    const TRUST_TOKEN_CLIENT_KEY *key,
+    const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,
+    uint32_t key_id);
 int voprf_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key,
                     uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],
                     uint8_t *out_private_metadata, const uint8_t *token,
-                    size_t token_len);
+                    size_t token_len, int include_message, const uint8_t *msg,
+                    size_t msg_len);
 
 
 // Trust Tokens internals.
@@ -179,6 +200,12 @@ struct trust_token_method_st {
   // zero on failure.
   int (*generate_key)(CBB *out_private, CBB *out_public);
 
+  // derive_key_from_secret deterministically derives a keypair based on
+  // |secret| and writes their serialized forms into |out_private| and
+  // |out_public|. It returns one on success and zero on failure.
+  int (*derive_key_from_secret)(CBB *out_private, CBB *out_public,
+                                const uint8_t *secret, size_t secret_len);
+
   // client_key_from_bytes decodes a client key from |in| and sets |key|
   // to the resulting key. It returns one on success and zero
   // on failure.
@@ -191,14 +218,17 @@ struct trust_token_method_st {
   int (*issuer_key_from_bytes)(TRUST_TOKEN_ISSUER_KEY *key, const uint8_t *in,
                                size_t len);
 
-  // blind generates a new issuance request for |count| tokens. On
+  // blind generates a new issuance request for |count| tokens. If
+  // |include_message| is set, then |msg| is used to derive the token nonces. On
   // success, it returns a newly-allocated |STACK_OF(TRUST_TOKEN_PRETOKEN)| and
   // writes a request to the issuer to |cbb|. On failure, it returns NULL. The
-  // |STACK_OF(TRUST_TOKEN_PRETOKEN)|s should be passed to |pmbtoken_unblind| when
-  // the server responds.
+  // |STACK_OF(TRUST_TOKEN_PRETOKEN)|s should be passed to |pmbtoken_unblind|
+  // when the server responds.
   //
   // This function implements the AT.Usr0 operation.
-  STACK_OF(TRUST_TOKEN_PRETOKEN) * (*blind)(CBB *cbb, size_t count);
+  STACK_OF(TRUST_TOKEN_PRETOKEN) *(*blind)(CBB *cbb, size_t count,
+                                           int include_message,
+                                           const uint8_t *msg, size_t msg_len);
 
   // sign parses a request for |num_requested| tokens from |cbs| and
   // issues |num_to_issue| tokens with |key| and a private metadata value of
@@ -218,20 +248,22 @@ struct trust_token_method_st {
   // returns NULL.
   //
   // This function implements the AT.Usr1 operation.
-  STACK_OF(TRUST_TOKEN) *
-      (*unblind)(const TRUST_TOKEN_CLIENT_KEY *key,
-                 const STACK_OF(TRUST_TOKEN_PRETOKEN) * pretokens, CBS *cbs,
-                 size_t count, uint32_t key_id);
-
-  // read parses a PMBToken from |token| and verifies it using |key|. On
-  // success, it returns one and stores the nonce and private metadata bit in
-  // |out_nonce| and |*out_private_metadata|. Otherwise, it returns zero. Note
-  // that, unlike the output of |unblind|, |token| does not have a
-  // four-byte key ID prepended.
+  STACK_OF(TRUST_TOKEN) *(*unblind)(
+      const TRUST_TOKEN_CLIENT_KEY *key,
+      const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,
+      uint32_t key_id);
+
+  // read parses a token from |token| and verifies it using |key|. If
+  // |include_message| is set, then the nonce is derived from |msg| and the salt
+  // in the token. On success, it returns one and stores the nonce and private
+  // metadata bit in |out_nonce| and |*out_private_metadata|. Otherwise, it
+  // returns zero. Note that, unlike the output of |unblind|, |token| does not
+  // have a four-byte key ID prepended.
   int (*read)(const TRUST_TOKEN_ISSUER_KEY *key,
               uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],
               uint8_t *out_private_metadata, const uint8_t *token,
-              size_t token_len);
+              size_t token_len, int include_message, const uint8_t *msg,
+              size_t msg_len);
 
   // whether the construction supports private metadata.
   int has_private_metadata;
@@ -270,7 +302,7 @@ struct trust_token_client_st {
   size_t num_keys;
 
   // pretokens is the intermediate state during an active issuance.
-  STACK_OF(TRUST_TOKEN_PRETOKEN)* pretokens;
+  STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens;
 
   // srr_key is the public key used to verify the signature of the SRR.
   EVP_PKEY *srr_key;